Einige Inhalte dieser Anwendung sind momentan nicht verfügbar.
Wenn diese Situation weiterhin besteht, kontaktieren Sie uns bitte unterFeedback&Kontakt
1. (WO2019043157) A METHOD OF DISPLAYING CONTENT ON A SCREEN OF AN ELECTRONIC PROCESSING DEVICE
Anmerkung: Text basiert auf automatischer optischer Zeichenerkennung (OCR). Verwenden Sie bitte aus rechtlichen Gründen die PDF-Version.

A Method of Displaying Content on a Screen of an Electronic Processing Device.

Field of the Invention.

The invention relates to a computer implemented method of displaying digital content on a screen of an electronic processing device.

Background of the Invention.

A number of social media applications are available for electronic processing devices such as smart phones, tablet computers and even personal computers (PCs) which seek to display digital content such as photographs or videos without allowing the user to save the displayed content. One option for preventing displayed content such as a photograph or video being locally saved is to disable any functions on the device such as 'screenshot', 'screensave' or 'video capture' or the like. However, this option does not prevent a user from photographing or videoing the screen by way of indirectly saving the content locally.

In another field of endeavor, it is proposed in US2014/0366159 to protect digital content being displayed on a screen of a device by detecting when a number of viewers of the screen increases to more than one. In response to detecting multiple viewers, the display of the digital content is halted. However, the digital content being displayed is stored on the device and is accessible by other means.

There is therefore a need for an improved way of displaying digital content such that only an intended user can view it and that unauthorized saving or accessing the digital content locally is prevented.

Objects of the Invention.

An object of the invention is to mitigate or obviate to some degree one or more problems associated with known methods of displaying digital content.

The above object is met by the combination of features of the main claims; the subclaims disclose further advantageous embodiments of the invention.

Another object of the invention is to provide a system and method for displaying content on an electronic data processing device to an authorized user, but preventing said displayed content being locally saved or accessed on said device.

One skilled in the art will derive from the following description other objects of the invention. Therefore, the foregoing statements of object are not exhaustive and serve merely to illustrate some of the many objects of the present invention.

Summary of the Invention.

The invention provides a computer implemented method of displaying content on a screen of an electronic processing device. The method comprises a first step of receiving content to be displayed on said screen at a data processing application on said electronic processing device. The data processing application is a dedicated application for processing said received content data and is configured to perform various steps including processing the received content data into a format suitable for display on said screen. The data processing application is also configured to monitor at least one sensor of the electronic processing device such as the device's camera to receive at least one biometric data input during display of the content on the screen and to cause either a halting of the display of the content or a blurring of the screen in response to a determination of a predetermined change in said biometric data. The data processing application is also configured to not locally store said provided content on said electronic processing device and to disable any screen or video capture functionalities of the electronic processing device.

In a first main aspect, the invention provides a computer implemented method of displaying content on a screen of an electronic processing device, said method comprising the steps of: providing content to be displayed on said screen to a data processing application on said electronic processing device, said data processing application configured to perform the steps of: processing data comprising said provided content into a format suitable for display on said screen; monitoring one or more sensors of the electronic processing device to receive at least one biometric data input during display of the content; and causing one of: (i) halting display of the content; and (ii) blurring the screen in response to a determination of a predetermined change in said biometric data; wherein the data processing application is configured to not locally store said provided content on said electronic processing device.

In a second main aspect, the invention provides a non-transitory computer readable medium storing machine-readable code which, when executed by a processor, causes an electronic processing device to implement the steps of the first main aspect of the invention.

In a third main aspect, the invention provides a system for displaying content on a screen of an electronic processing device, said system comprising: a first electronic processing device in communication with a second electronic processing device, said first electronic processing device configured to transmit content to said second electronic processing device; wherein said second electronic processing device has a data processing application configured to receive said transmitted content and to perform the steps of: processing data comprising said received content into a format suitable for display on a screen; monitoring one or more sensors of said second electronic processing device to receive at least one biometric data input during display of the content; and causing one of: (i) halting display of the content; and (ii) blurring the screen in response to a determination of a predetermined change in said biometric data; wherein the data processing application is configured to not locally store said provided content on said second electronic processing device.

The summary of the invention does not necessarily disclose all the features essential for defining the invention; the invention may reside in a sub-combination of the disclosed features.

Brief Description of the Drawings.

The foregoing and further features of the present invention will be apparent from the following description of preferred embodiments which are provided by way of example only in connection with the accompanying figures, of which:

Figure 1 is a schematic diagram of a system for displaying content on an electronic processing device;

Figure 2 is a flow chart showing the process for sending content from a first electronic processing device for viewing at a second electronic processing device;

Figure 3 shows in more detail the process for user authentication for the process of Fig.

2;

Figure 4 shows in more detail the process for sending content via a server to the second electronic processing device;

Figure 5 shows a process for determining a recipient's reaction to all or part of displayed content;

Figure 6 shows a process for a user to download the content services application and to create an account;

Figure 7 shows a process for a user to add a contact to their account;

Figure 8 shows a process for a user to prepare content to be send to a contact;

Figure 9 shows a process for a contact to display received content; and

Figure 10 shows a process for using geo-location data in a group chat.

Description of Preferred Embodiments.

The following description is of preferred embodiments by way of example only and without limitation to the combination of features necessary for carrying the invention into effect.

Reference in this specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.

It should be understood that the elements shown in the FIGS, may be implemented in various forms of hardware, software or combinations thereof. Preferably, these elements are implemented in a combination of hardware and software on one or more appropriately programmed general-purpose devices, which may include a processor, memory and input/output interfaces.

The functions of the various elements shown in the figures may be provided through the use of dedicated hardware as well as hardware capable of executing software in association with appropriate software. When provided by a processor, the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared. Moreover, explicit use of the term "processor" or "controller" should not be construed to refer exclusively to hardware capable of executing software, and may implicitly include, without limitation, digital signal processor ("DSP") hardware, read-only memory ("ROM") for storing software, random access memory ("RAM"), and non- volatile storage.

In the claims hereof, any element expressed as a means for performing a specified function is intended to encompass any way of performing that function including, for example, a) a combination of circuit elements that performs that function or b) software in any form, including, therefore, firmware, microcode or the like, combined with appropriate circuitry for executing that software to perform the function. The invention as defined by such claims resides in the fact that the functionalities provided by the various recited means are combined and brought together in the manner which the claims call for. It is thus regarded that any means that can provide those functionalities are equivalent to those shown herein.

The method of the invention generally relates to using a biometric function such as facial recognition as a condition for continual viewing of any digital content such as an image, a document or a video, etc. on a screen of an electronic processing device such as a desktop computer, a personal computer (PC), a tablet computer, or a smart phone running any known operating system such as IOS, Android or Microsoft. The process preferably involves the continual use of facial recognition linked to the visibility of the content on the device screen. So as long as a person is determined to be looking at the document or photograph displayed on the device screen, it will remain visible to that person. However, if the person looks away, the content will cease to be shown or the screen will be blurred. The content may also cease to be shown or the screen will be blurred if, for example, more than one person's face is seen through the device's camera; this will prohibit "shoulder surfing". Furthermore, the method of the invention envisages an ability to recognize inanimate instruments such as cameras, smartphones or other equipment capable of replicating the content being displayed and to respond by again ceasing display of the content on the screen or blurring the screen.

Referring to Fig. 1 of the drawings, there is provided a system 10 comprising a first electronic processing device 12 in communication through a network 14 with a second electronic processing device 16 for displaying content on a screen 18 of said second electronic processing device 16.

The first and second electronic processing devices 12, 16 may comprise the same type of electronic processing device or different types of electronic processing device and may each comprise any of a smart phone, a tablet computer, a personal computer (PC), a desktop

computer, or a server. The network 14 may comprise any of a wireless communication network such as a 4G or 5G wireless network, the internet and/or a private network such as a virtual private network (VPN) or any combination of the foregoing.

Communication of content such as digital content from the first electronic processing device 12 to the second electronic processing device 16 may be facilitated by one or more servers 20. The one or more servers 20 may also provide the function of enabling each of the first and second electronic processing devices 12, 16 to download application specific software such as an application or 'app' to configure said devices 12, 16 to implement the method as hereinafter described. The application may require a user of a device 12, 16 to become a subscriber to a content display service such that use of the service through the application is limited to listed subscribers. The content display service may be hosted on one or more of the servers 20. Where the server 20 facilitates communication of digital content from the first electronic processing device 12 to the second electronic processing device 16, the server 20 may also be provisioned with suitable application specific software including content service hosting software.

The one or more servers 20 may comprise cloud computing servers, i.e. cloud servers, and/or they may comprise dedicated application servers.

Content may comprise images such as photos or moving images such as videos, or maps, GIFs, or documents such as text documents, spreadsheets, or text messages or any other content commonly shared on social media applications or the like or commonly communicated over networks between electronic processing devices. It will be understood that the foregoing are merely examples of digital media or content which may be communicated from the first electronic processing device 12 to the second electronic processing device 16 and are not in any way limiting of the content which may be communicated between such devices. The content being communicated could also include streamed content in contrast to discrete content such as, for example, an image file.

Associated with the one or more servers 20 may be one or more databases 22, although it will be understood that the one or more databases 22 may be embodied within the servers 20. One of the databases 22 may comprise a subscriber accounts database.

In operation, at least the second electronic processing device 16, but preferably also the first electronic processing device 12, is provisioned with a data processing application 24 received in memory 26 thereof and executable by a processor 28 of said device 12,16. The execution of the data processing application 24 by the processor 28 configures the second electronic processing device 16 to receive content data transmitted to it by the first electronic processing device 12 and to receive said data by the data processing application 24. The data processing application 24 is preferably downloaded as an initial step to both the first and second electronic processing devices 12, 16 from one of the servers 20.

In the case of the second electronic processing device 16, the data processing application 24 causes said application to process data comprising the received content into a format suitable for display on the screen 18 of said device 16. The data processing application 24 is configured to monitor one or more sensors 30 of the second electronic processing device 16 to receive at least one biometric data input during display of the content on the screen 18. In response to a determination of a predetermined change in said biometric data, the data processing application 24 causes either a halting of the display of the content on the screen 18 or a blurring of the screen 18 to a degree sufficient to prevent any useful image being able to be taken of the displayed content. The data processing application 24 is configured to not locally store, and preferably also to not allow local access to, said provided content in the memory 26 of said second electronic processing device 16. Preferably, the data processing application 24 disables any screenshot or video capture functionality or the like of the device 16 for at least the duration of content being displayed normally on the screen 18 without blurring.

Preferably, the application specific data processing application 24 downloaded in an initial step to the first electronic processing device 12 configures said device 12 to communicate content for display on the second electronic processing device 16 in a protected format such as an encrypted format. The data processing application 24 of the second electronic processing device 16 is configured to extract, e.g. decrypt (i.e. unencrypt), said received content from its protected format to ready it for display on the screen 18.

It is preferred that the data processing application 24 of the second electronic processing device 16 is configured to continuously receive a stream of at least one biometric data during display of the content. The stream of at least one biometric data preferably comprises receiving image data from a camera 30 of the second electronic processing device 16 and using facial recognition software to analyze the image data to determine that a person's face is viewing the screen 18, i.e. the person is looking at the screen 18 and, by inference, is viewing the displayed content on the screen 18.

In some embodiments, the facial recognition software will be resident on at least the second electronic processing device 16 and the facial recognition process as hereinafter described will be performed locally on said second device 16. In other embodiments, the image data from the camera 30 of the second electronic processing device 16 will be transmitted to one of the servers 20 where the facial recognition process will be performed and results of such process returned to the second device 16.

Irrespective of where the facial recognition process is performed, it may include enhancements which enable a determination to be made that a person is still viewing the screen 18 of the second device 16 even when the person moves their head to some degree. This helps to reduce unnecessary interruptions in display of the content on the screen 18 where a person determined to be viewing the screen makes a modest head or eye movement, but is still viewing the screen 18. In contrast, where a person determined to be viewing the screen makes a significant head or eye movement where it can be determined that they are no longer looking at the screen 18, the data processing application 24 may cause the display of the content on the screen 18 to be halted or at least the screen 18 to be blurred such that the details of the displayed content is distorted or masked. In a further situation, where a person determined to be viewing the screen 18 makes no perceptible head and/or eye movements, the data processing application 24 may cause the display of the content on the screen 18 to be halted or at least the screen 18 blurred. This is to prevent any attempt to hold a photograph or the like within the image view of the camera 30 of the second electronic processing device 16 whilst attempting to copy or record the content displayed on the screen 18. It will be appreciated therefore that the facial recognition software could be enhanced with eye tracking software to facilitate the foregoing. In some embodiments, eye tracking software alone could be used in place of facial recognition software.

In some embodiments, it is preferred that the facial recognition process includes comparing the face of a person determined to be viewing content displayed on the screen 18 of the second device 16 to a database of authorized persons to identify that an authorized person is viewing the screen. This provides a further level of safety for the displayed content by seeking to ensure that it is viewed only by authorized users or subscribers. Furthermore, as a further check, it is preferred that other identity data is utilized to determine that the identified authorized person is also the intended recipient of the provided content. That is, that the person identified as an authorized person is also the person to whom the content was sent. The other identity data used to make this determination might include email address and/or account data associated with the second electronic processing device 16. Consequently, it is possible to not only determine that a person rather than an inanimate object such as a camera is viewing the screen 18 of the second electronic processing device 16, but that the person is an authorized subscriber and furthermore that the authorized subscriber is the intended recipient for display of the content. It will be understood that the facial recognition program may require access to facial data of authorized users/subscribers as will be hereinafter described.

In the method, a predetermined change in the biometric data may comprise using the facial recognition software and/or eye tracking software to determine any one or any combination of the fact that two or more persons are determined to be viewing the screen 18, or the disappearance from the electronic processing device's camera image view of a person determined as viewing the screen 18, or a significant head or eye movement of a person determined as viewing the screen 18, or a lack of any perceptible movement of a person determined as viewing the screen 18, or the recognition or detection of inanimate objects such as cameras or electronic devices within the electronic processing device's camera image view and/or within range of a short range radio module 32 of the second electronic processing device 16, or the absence of other biometric data inputs. The short range radio module 32 may detect through, for example, a Bluetooth™ connection the presence of other electronic devices which may be used to copy or record content being displayed on the screen 18. The data processing application 24 may be configured to receive signals from the short range radio module 32 and, in response, to cause the display of the content on the screen 18 to be halted or at least the screen 18 blurred. One example of other biometric data that can be used in addition to facial recognition or eye tracking data is fingerprint data whereby a person using the second device 16 is required to place a finger on a specified fingerprint detecting portion 34 of the screen 18 or body of the second electronic processing device 16. In such an arrangement, the person may be required to continuously hold their finger on the fingerprint detecting portion 34 to enable content to be displayed. Consequently, it may be necessary for authorized subscribers to provide fingerprint data.

In the method, the facial recognition software may be enhanced to detect movements, gestures and/or expressions of the person determined as viewing the screen. Any such movements, gestures and/or expressions may be used continue to show the provided content on the screen and/or to provide data indicative of the person's reaction to the viewed content or a portion of the viewed content. The facial recognition process may gather information on human reaction through gestures to determine the viewer's reaction to displayed digital content. That is to say, by streaming the facial recognition data while the viewer such as an authorized recipient reads or watches content, it will be possible to determine which part or parts of, for example, an image is being viewed and possible to provide analytical information to the sender of the content. By way of example, if a fashion designer sent out ten photographs of a new dress design, each with a slight variation in colour or style, it could be determined which one the viewer liked the best through facial gestures and possibly eye movements such as pupil dilation, etc.

It is also envisaged that the method could include applying a time limit to view the provided content, said time limit preferably being applied from a first viewing of said content. It is also envisaged including a limit on a number of times provided content can be opened.

More specifically, the foregoing and further features of the method herein disclosed can be better understood from the following description of flowcharts showing the process flow of the method by way of example only.

Referring to Fig. 2, shown is the content flow process 100 for sending content from the first electronic processing device 12 via the server 20 for viewing at the second electronic processing device 16.

In a first part 110 of the process 100, the content sender opens the data processing application 24 (hereinafter referred to as the content service application 24) on the first device 12. The opened content service application 24 configures the first device 12 to enable the sender to select 120 digital content from any of the memory of the device 12, an associated storage device 36 or even from the server 20 or a database associated with the server 20 where said content is intended to be only displayed to a recipient at the second device 16. The content selection step 120 may include previewing the selected content on the first device 12. In a next step 130, the sender selects a recipient from a first contact device database 38. This may comprise selecting an address for the recipient such as an email address, although other address mechanisms can be utilized. In a following step 140, a message or invitation is sent to the second device 16 alerting the recipient to an invitation to view some content. At this point, no content has been sent to the second device 16. The invite message is preferably sent via the server 20 which manages posting of messages and invitations. The server 20 has associated with it a subscriber biometric database 40.

In a next step 150, the second device 16 receives the message/invitation to view some content and the recipient opens the message/invitation. This causes the content service application 24 on the second device 16 to configure the camera 30 of the second device 16 to record images in an attempt to at least determine if a person is viewing the screen 18 of the second device 16 and more preferably that an authorized person who is also the intended recipient is the person determined as viewing the screen 18. In a decision step 160, if the determination is negative, the second device 16 is caused to send a message back to the first device 12 indicating that the person viewing the screen 18 of the second device 16 is not recognized. This message may also include a captured image of the person viewing the screen 18 of the second device 16 asking the sender if they recognize said person. At this point, no content has been sent to the second device 16. Although not shown in the flowchart 100, if, upon receiving the negative determination message, the sender indicates that they recognize the person viewing the screen they may override the negative determination at step 160 to, in effect, invoke a positive determination at this decision step 160. This may be so even if the sender, although recognizing the person viewing the screen 18, recognizes that the person viewing the screen is not the intended recipient. This enables the sender to still have the content viewed by someone they accept as being closely associated with the intended recipient.

Once a positive determination at decision step 160 is made or the sender invokes a positive determination in response to an initial negative determination i.e. overrides the initial negative determination, the process moves forward to the step 170 of sending the content to be displayed/viewed from the first device 12 to the second device 16. However, the content is not sent directly from the first device 12 to the second device 16. The content is first placed in a protected format such as being encrypted. This may occur at the first device 12 or at the server 20. The server 20 may also check 180 to ensure that the content is indeed in a protected format ready for sending. The process may include the step 190 of informing the server 20

that the recipient is recognized. In any event, the server 20 opens 200 an encrypted (protected format) channel to deliver the protected format content to the second device 16. A further message may be displayed 210 on the second device 16 to alert the recipient to receipt of the protected format content. The receipt of the protected format content at the second device 16 causes the content service application 24 to ensure the device's camera 30 is operating to capture images and to process the protected format content ready for display on the screen 18. In response to a periodic, but preferably continuous positive determination 220 by the facial recognition software and/or the eye tracking software or other biometric input software that the recipient is viewing the screen 18, the device 16 displays the content on said screen 18 in accordance with the method hereinbefore described. At any time where there is a change in the incoming biometric data from the camera and/or other sensors 30, the content service application 24 may halt 230 display of the content or blur the screen 18. The content service application 24 is configured to prevent or disable any function on the second device 16 which would enable a user of the device 16 to copy or record content being displayed in the screen and also to prevent or disable any function which would enable a user of the second device 16 to access or store in memory a copy of the unencrypted content. The content service application 24 will also halt display of the content or blur the screen 18 if there is a negative determination at decision point 220 for any reason.

Referring to Figs. 3 and 4, shown in more detail in Fig. 3 is the process 300 for user authentication and shown in more detail in Fig. 4 is the process for sending content via the server 20.

In a first part 310 of the process 300, the content sender opens the content service application 24 on the first device 12. The opened content service application 24 configures the first device 12 to enable the sender to select in a step 320 digital content and a recipient for such content. In a following step 330, a message or invitation is sent to the second device 16 alerting the recipient to an invitation to view some content. At this point, no content has been sent to the second device 16. The invite message is preferably sent via the server 20 which manages posting of messages and invitations. In a next step 340, the second device 16 sends a request to open the content, although the content has not yet been received at the second device 16. In response to the request message from the second device 16, the server 16 authenticates 350 the recipient and notifies the sender in the manner hereinbefore described.

The content is then sent 360 through the encrypted channel established by the server 20 to the second device 16. Any messages and/or data flows exchanged between the first and second devices 12, 16 and the server 20 are managed 370 by the server 20 through the encrypted channel. The recipient is then able to view 380 the content on the second device 16 as hereinbefore described.

In the process 400 depicted by Fig. 4, once a recipient is recognized, the server (cloud service) 20 opens an encrypted channel and sends the content over said channel to the second device 16. The server 20 receives 430 biometric data such as image data from the second device in order to periodically or continuously re-determine who is viewing the screen 18 of the second device 16 in accordance with the method hereinbefore described. The server 20 may also build a recognition engine using artificial intelligence (AI) to more efficiently process image data to make said determination more efficiently. In the event that the recipient is no longer recognized at decision point 440, the encrypted channel may be terminated 460 and the display of content at the second device halted or the screen 18 blurred. Furthermore, a message may be sent to the sender. Where the recipient remains recognized, the content is displayed 450.

Fig. 5 shows a process 500 for determining a recipient's reaction to all or part of displayed content. In a first step 510, the content to be displayed to the recipient is provided as hereinbefore described to the second device 16.

As before, the content is displayed 520 on the screen 18 of the second device and the camera 30 of said device 16 is activated to capture image data within the field of view of said camera 30. The captured image data is used to maintain display of the content as also hereinbefore described, but said data may also be processed 530 using the facial recognition software and/or the eye tracking software to identify movements, gestures and expressions of the recipient as a means of determining the recipient's reaction to the viewed content. In an optional step 540, the image data may be processed for only a part or parts of the content. In either case, the processing of the image data to detect movements, gestures and/or expressions of the recipient may be used to provide feedback or reports 550 to the sender of the content or others which informs the sender or others of the recipient's reaction, e.g. acceptance or refusal, of the content or a part of the displayed content.

The foregoing and further features of the method herein disclosed can additionally be better understood from the following description of process diagrams showing how users of the method open accounts with the content service application system (Fig. 1), prepare content to be displayed, and display received content, merely by way of example.

Fig. 6 shows a process for a user to download the content services application and to create an account. By way of example, a sender named Alice uses her electronic processing device 12 to establish a subscriber account with the server 20. In an initial step, the content services application 24 is downloaded to Alice's device 12 if it has not already been downloaded to her device 12. Once the content services application 24 is operable on Alice's device 12, she uses her device 12 to connect to the server 20 to set up a subscriber account. In an account set up page displayed on her device 12, Alice is required to enter her address, a password and optionally to arrange for her biometric data to be sent to the server 20. The server may store account data for subscribers in an associated account database 22. It can be seen in Fig. 6 that Bob also has set up a subscriber account. The biometric data may comprise a facial image of Alice and fingerprint data. This may be obtained through use of the camera 30 on her device 12 and a fingerprint detection part 34 of her device's screen 18, although it will be understood that such data may be provided by other means and from other sources. It will also be understood that a subscriber may be asked for other forms of identification data such as telephone numbers residential addresses, etc. In response to setting up a subscriber account, Alice's device 12 receives a private encryption key from the server 20.

Fig. 7 illustrates the adding of contacts to a user's subscriber account. In the example shown, Alice knows Bob and wishes to add him as a contact for receiving content from her for display on his electronic processing device 16. In an 'add contacts' window on her device 12, Alice can search for and find Bob's contact details and then request that his contact details be added to her subscriber account. The server 20 receives a request from Alice's device 12 to add Bob's contact details and, in response, determines whether or not Bob's contact details match an existing subscriber. In the case that there is a match, the server 20 may add Bob's contact details to Alice's subscriber account and returns an affirmative message to Alice's device 12. The server 20 may also send a message to Bob's device 16. Additionally, or alternatively, Bob's device 16 may be configured to interact with the request from Alice's device 12 to enable him to be added to her contacts. For example, the request from Alice's device may include an image of Alice as the requestor. Bob can then view the requestor's image and, if the image does not match with Alice, then Bob may deny the contact request. In the case that Bob does recognize Alice's image, he may approve the contact request. An approval of a contact request may, in addition to adding the contact to the requester' s contact list, adds a positive recognition/trustfulness feedback to the requester.

Referring to Fig. 8, shown is one method of sending content from a first device 12 to a second device 16 for display thereon. Using the foregoing example, Alice utilizes the content service application 24 on her device 12 to select content such as a picture to send to a recipient. In this example, Alice selects Bob as the contact to receive the content. Once the content and recipient are selected, Alice's device 12 connects to the server 20 to request Bob's public encryption key. Then, Alice's device 12 generates a random 256 bit key Km and uses this with AES 256 encryption to encrypt the selected picture (JPEG) data. Alice's device also uses the random 256 bit key Km with Bob's public key (bob_public_key) using RSA encryption to generate a decryption key for Bob (bob_secured_Km). The encrypted picture data (ENC. JPEG), the decryption key (bob_secured_Km) and any other content display conditions such as a limit on numbers of times the content can be opened and a time limit from first viewing are transmitted to the server 20 via the encrypted channel set up by the server 20 in readiness for sending to Bob's device 16. Consequently, the Km (encryption/decryption) key is securely wrapped, i.e. encrypted, using Bob's public key. This is to allow only Bob to decrypt the Km key using his private key. The decryption key for the JPEG data is always Km for all recipients, but it can be used, i.e. unwrapped/decrypted, by the recipients only using their respective private keys. If the key is leaked, only the recipients can decrypt it and consequently decrypt the JPEG data using the Km key. It will be understood that RSA is a known public-key cryptographic algorithm, but that any secure public -key cryptographic algorithm can be used to secure the encryption key Km.

As seen in Fig. 9, once Bob receives and opens Alice's message inviting him to view the picture, the content service application 24 on Bob's device 16 activates the camera 30 to capture image data. The captured image data is sent to the server 20 to enable it to carry out the user authentication process as hereinbefore described. On validating the image data, the server forwards the encrypted picture data (ENC. JPEG), the decryption key (bob_secured_Km) and any other content display conditions to Bob's device 12. The data is

transferred with the bob_secured_key on the same channel once the face recognition engine validates Bob's face data. The content service application 24 on Bob's device uses the decryption key (bob_secured_Km) to decrypt the picture data to display it on the screen 18. Continued display of the picture on the screen is in accordance with the method hereinbefore described. Whilst the face recognition engine is described as being hosted on the server 20, it will be understood that, in some embodiments, it can be provided on the users' devices 12, 16. In the example of Fig. 9, the face recognition engine may be provided by the content service application 24 on Bob's device 16 such that, once the camera on Bob's device 16 has captured his image, the face recognition engine on his device 16 sends a validation message to the server 20 that Bob's image is recognized. In response, the server 20 then forwards the data with the bob_secured_key on the same channel to Bob's device 16.

As an alternative to using public key encryption, the encryption and decryption keys to encrypt and decrypt messages are generated on the fly at users' devices 16 using only public pre-keys stored on the server 20 for each user. The content service application 24 generates and sends these shared public pre-keys to the server 20. These keys can be used to initialize an asynchronous message exchange with another user, for example, Alice can be offline when Bob sends a message to her. When using public/private keys as described for Fig. 9, "Bob_secured_key" is downloaded from the server 20 when the recipient's biometric data is authenticated. However, in the alternative where, in Fig. 9, public pre-keys are being used rather than public/private keys, the decryption keys are generated on the recipient's device 16 only after the recipient's biometric data is authenticated. This is because only the recipient's device 16 can decrypt messages, i.e. generate the decryption keys. The server 20 stores public pre-keys that, if compromised, are not enough to decrypt messages without the remaining private pre-keys on the recipient's local device 16.

Content may be sent to a group of subscribers, but preferably only viewed individually on their respective devices, although the sender may be able to define a group of individuals who can view content simultaneously on the same device. The content will never be stored on the recipient device, but will be uploaded from the sender and encrypted at the point of sending and decrypted within the application on the recipient's device. Furthermore, the server will not store any transmitted content thereby ensuring complete integrity of all content.

The method constantly monitors the recipient face or faces and compares them with stored facial data in a cloud server or local database. Constant monitoring may comprise continuous or periodic monitoring. Here, constant monitoring of biometric data such as facial recognition data is used to grant continual access to displayed content within the boundaries hereinbefore described.

One problem which the method of the invention addresses through constantly monitoring the biometric data such as facial recognition data to ensure that the intended recipient is the only one viewing the displayed content is to carefully control constant monitoring in a manner which prevents or at least reduces jitter between a clear display of the content and a blurred display of the content. Such jitter between clear and blurred display of the content would degrade the user experience. Therefore, to assure that the recipient is correctly repeatedly identified and yet at the same time to reduce or prevent jitter, it is preferred to use the facial recognition software to intermittently scan the face of the recipient viewing the displayed content. The rate of intermittent scanning of the recipient' s face may be every 0.25 seconds, although other time intervals may be applied depending on the type of second electronic processing device 16 being viewed by the recipient. Intermittent scanning of the recipient's face reduces the likelihood of a negative output from the facial recognition software which might occurs during continuous scanning of a face when light changes on the scanned face or the like causes resetting of the facial recognition parameters resulting in a momentary negative determination.

As described above, content may be sent from one electronic processing device 12 to another electronic processing device 16 in a one to one connection. Or, content may be sent between a group of electronic processing devices 12, 16, for example, between a group of subscribers and this may be achieved through a group chat hosted by one or more of the servers 20 through the content service application 24 on the subscribers' electronic processing devices 12, 16. In a group chat, each subscriber may be both a sender of content and a recipient of content. Each subscriber can access content for viewing on their respective devices 12, 16 in accordance with the methods hereinbefore described such that said content is sent in an encrypted format and is decrypted by the content service application 24 on the recipient device. The group chat will also be an encrypted service hosted in at least one of the servers 20, preferably as a Cloud service such that the components of the chat are all held in the Cloud and not locally on any of the devices 12, 16. The group chat content is therefore encrypted in the Cloud and then sent from the Cloud and decrypted when each recipient/subscriber requests the chat content using an encryption key held on the recipient's device as hereinbefore described. If any participant in either a one to one connection or a group chat decides to erase either a single message, attachment or total message string/content, the message, attachment or total message string/content is instantly deleted such that it can no longer be viewed on any recipient device. This ensures that the sender of content always has control of the message content such that, if they decide that they want to delete it, then at any time they can instantly delete it and the message content instantaneously deletes from the recipient's message history which is also held in the Cloud.

Preferably, one of the subscriber devices 12, 16 in a group chat is enabled to set geo-location parameters for either the whole group chat or to assign a geo-location restriction to each subscriber device within the group chat, or to apply several geo-locations to the whole or individual devices within the group chat, e.g. "office 1, 2, 3" and "home locations". Preferably, this feature is implemented by an administrator of the group chat. This feature enables exact location or locations as to where the group chat can be displayed i.e. an office location, a specific address, a city area or region. This unique feature enables the originator of content and/or the administrator to determine where the content can be displayed to the intended recipients.

This feature is preferably used in combination with the biometric data before displaying the content as illustrated by Fig. 10 which illustrates a process 600 of using one or more geo-location restrictions to display content in a group chat where the first half of the process 600 comprises the recipient authentication process and the second half of the process 600 comprises the content display process augmented with one or more geo-location restrictions.

In Fig. 10, at step 610, the user or recipient operates their electronic processing device 16 to open the content service application 24 to enter a menu screen. Whilst at the menu screen, the facial recognition software at step 620 determines if a viewer of the electronic processing device 16 is the intended recipient or an acceptable recipient and, if no, at step 630, the viewer is prevented from progressing beyond the menu screen. If yes, then in an optional step 640, other biometric data such as finger print data may be used further authenticate the viewer as the intended recipient or an acceptable recipient and, again if no, at step 650, the viewer is prevented from progressing beyond the menu screen. If yes, then at step 660, the recipient is admitted to the next screen for display of content to be displayed. At step 670, facial scanning is constantly employed, preferably, intermittently, to confirm the presence of intended recipient or an acceptable recipient viewing the screen of the electronic processing device 16, but, if a negative determination is made, then at step 680 the screen is blurred or the content is no longer displayed. If a positive determination is made at step 670, then at step 690 geo-location restriction data associated with content to be displayed is checked against a location of the electronic device 16 and, if a negative determination is made, then at step 692 the screen is blurred or the content is no longer displayed. If a positive determination is made at step 690, then at step 694 the content is displayed and at least step 670 is intermittently applied.

In an alternative or additional arrangement of process 600, the geo-location checking step 690 may be included or duplicated in the recipient authentication part of the process 600 whereby, if a negative determination is made on checking the one or more geo-location restrictions, the recipient is prevented from progressing from the menu screen.

Process 600 enables a content sender and/or a group chat administrator to condition a message, person or group chat to only be able to open the content comprising any of a message, chat or attachment when a recipient's device is within a specific pre-set geo-location. This implementation requires more than one unique condition in parallel to be met before the content can be displayed. For example, this requires positive constant face recognition and geo-location to be satisfied. It is possible to add further conditions such as a one-time code validation before content display. This might comprise a challenge response one time password (OTP) generation that is triggered by, for example, authentication of a recipient's fingerprint data. The end result is that the recipient can only display the content if he is within the geo-location, is identified using the face recognition software, has positive determination of finger print data, and correctly implements an OTP is from a challenge response system.

The method may also include augmenting the face recognition software to track movement of fixed points on the face and registering movement in one or more directions such as left and/or right. The recipient would be requested their head left, right, up or down as a random challenge.

Content ownership is a critical aspect of the method of the invention such that no form of saving, forwarding or copying of content is permitted. For example, the screenshot capability is disabled for a period of time. This is easily implemented in Android based electronic processing devices, but is not so easily implemented in iOS based devices where is it not presently possible to disable the screenshot feature as the operating system does not allow this to be done. Therefore, for iOS based devices, where a user attempts to screen shot a message screen or attachment, the method may include the immediate deletion of the message and advising the content sender and/or group chat administrator that the specific recipient has attempted a screen shot.

While the invention has been illustrated and described in detail in the drawings and foregoing description, the same is to be considered as illustrative and not restrictive in character, it being understood that only exemplary embodiments have been shown and described and do not limit the scope of the invention in any manner. It can be appreciated that any of the features described herein may be used with any embodiment. The illustrative embodiments are not exclusive of each other or of other embodiments not recited herein. Accordingly, the invention also provides embodiments that comprise combinations of one or more of the illustrative embodiments described above. Modifications and variations of the invention as herein set forth can be made without departing from the spirit and scope thereof, and, therefore, only such limitations should be imposed as are indicated by the appended claims.

In the claims which follow and in the preceding description of the invention, except where the context requires otherwise due to express language or necessary implication, the word "comprise" or variations such as "comprises" or "comprising" is used in an inclusive sense, i.e. to specify the presence of the stated features but not to preclude the presence or addition of further features in various embodiments of the invention.

It is to be understood that, if any prior art publication is referred to herein, such reference does not constitute an admission that the publication forms a part of the common general knowledge in the art.